ATM Skimming Threats Evolve

Fraudsters Find New Ways to Work Around Traditional Defenses

federal court in Newark, N.J., last week convicted a Bulgarian man for his role in a cross-border, $278,144 ATM fraud scheme that led to the compromise of nearly 350 bank accounts.

Viktor Kafalov, 28, pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft. He could be slapped with fines totaling $1 million and up to 30 years in prison.

The case goes back to September 2008, when Kafalov and co-conspirators used fake or "white" ATM cards they had created from skimmed magnetic-stripe details they collected at ATMs in the U.S. and Canada. With cameras mounted at compromised ATMs, the gang also recorded PIN details, to associate with the skimmed numbers, as consumers attempted to use the ATMs. From there, funds were withdrawn from ATMs that hit New York accounts in Brooklyn, Queens, Manhattan and Long Island.

ATM Skimming: Still No.1

Though incidents of card fraud vary, and some techniques have increased in sophistication, tried-and-true ATM skimming remains one of the payment card industry's greatest threats.

POS swap attacks that target retailers and the installation of skimming devices on pay-at-the-pump gas terminals, which often remotely transmit card details once they're skimmed, have garnered attention in recent months. But those attacks come nowhere close to rivaling the number of ATM skimming incidents the industry continues to battle globally.

Around $350,000 U.S. dollars is lost worldwide daily to incidents of ATM skimming, says ID theft expert Robert Siciliano. "Definitely, worldwide, more money is taken from ATMs," he says. "We're seeing more and more all-in-one systems, like skimmers with the pinhole camera all built into one. And we're seeing some systems with the keypad overlay built in. It's just getting easier and easier to do."

Incidents Up in Parts of Europe

Lachlan Gunn, director of the European ATM Security Team, says despite great strides made toward adoption of the Europay MasterCard, Visa standard in Europe, ATM skimming remains a problem for European banks. "Ninety-five percent of ATMs in Europe are now EMV compliant, and for a long time we had seen skimming incidents going down," Gunn says. "But now we see incidents going back up. The bad guys know that chip and PIN/EMV is making skimming more difficult, so they go to where they can use the mag-stripe. For your side of the pond, that should be disturbing."

According to EAST's April update, in 2010 overall ATM fraud losses dropped 14 percent in 22 European states - Austria, Belgium, Cyprus, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Slovakia, Spain, Sweden, Switzerland, and the United Kingdom. Those states have a total installed base of nearly 370,000 ATMs.

"That being said, these statistics are for Europe as a whole, and seven out of the 22 contributing countries reported an increase in skimming-related losses, a significant increase in some cases," Gunn says. About 82 percent of ATM-related skimming losses hitting those EMV-compliant countries are coming in from outside European borders. The risk comes in when counterfeit EMV cards, created with skimmed mag-stripe details, are used at ATMs in parts of the world that are not EMV compliant, Gunn says.

ATMs: Where the Money Is

ATMs remain the fraudster's primary targets, because they offer the greatest monetary reward. And it's the financial institution ATMs that are most-often hit. [See 10 Tips to Improve ATM Security]

Chuck Somers, vice president of ATM Security and Systems for Diebold Inc., one of the world's top three ATM manufacturers, says skimming losses remain banking institutions' greatest ATM fraud concern. When compared with physical attacks, such as ram raids and break-ins, and logical security breaches, such as the injection of malware, skimming is the most common.

"The largest of the three, in terms of losses to institutions, is fraud," Somers says. "The fraud typically occurs via the attachment of external skimmers onto the machine with some sort of a PIN-recording device. ... There's a high ROI on this crime."